Page updated Jan 16, 2024

Override Amplify-generated Cognito resources

```bash
amplify override auth
```

Run the command above to override Amplify-generated auth resources, including the Amazon Cognito user pool, identity pool, user pool groups, and more.

The command creates a new overrides.ts file under amplify/backend/auth/<resource-name>/, which exposes the Amplify-generated resources to you as CDK constructs.

Customize Amplify-generated Cognito auth resources

Apply all the overrides in the override(...) function. For example, to update the temporary password validity days for your Cognito user pool:

```typescript
import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.userPool.policies = { // Set the user pool policies
    passwordPolicy: {
      ...resources.userPool.policies["passwordPolicy"], // Carry over existing settings
      temporaryPasswordValidityDays: 3 // Add a setting that Amplify's default does not provide
    }
  }
}
```

Or add a custom attribute to your Cognito user pool:

Removing or adding an attribute on a Cognito user pool schema, including default attributes (e.g. email), causes errors such as `Invalid AttributeDataType input, consider using the provided AttributeDataType enum`, because CloudFormation interprets this as a schema change.

Custom attributes cannot be renamed or deleted after you create them.

```typescript
import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper'

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  const myCustomAttribute = {
    attributeDataType: 'String',
    developerOnlyAttribute: false,
    mutable: true,
    name: 'my_custom_attribute',
    required: false,
  }
  resources.userPool.schema = [
    ...(resources.userPool.schema as any[]), // Carry over existing attributes (example: email)
    myCustomAttribute,
  ]
}
```
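The two overrides above share one pitfall: assigning a fresh `policies` object instead of spreading the existing one silently drops Amplify's generated minimum length and character-class requirements, and appending a schema attribute whose name already exists fails at deploy time. This added example (not from the Amplify docs or CLI) shows both overrides as pure helpers over a hypothetical minimal `UserPoolLike` shape standing in for `resources.userPool`, with a constructed sample pool, so it runs without the Amplify CLI.

```typescript
// Hypothetical minimal stand-in for the `resources.userPool` surface of
// AmplifyAuthCognitoStackTemplate, so this file runs without the Amplify CLI.
interface PasswordPolicy { minimumLength?: number; requireSymbols?: boolean; temporaryPasswordValidityDays?: number }
interface SchemaAttribute { attributeDataType: string; developerOnlyAttribute: boolean; mutable: boolean; name: string; required: boolean }
interface UserPoolLike { policies?: { passwordPolicy?: PasswordPolicy }; schema?: SchemaAttribute[] }

// Constructed sample resembling an Amplify-generated pool (illustrative values).
function sampleUserPool(): UserPoolLike {
  return {
    policies: { passwordPolicy: { minimumLength: 8, requireSymbols: true } },
    schema: [{ attributeDataType: 'String', developerOnlyAttribute: false,
      mutable: true, name: 'email', required: true }],
  };
}

// Merge the patch into the existing policy rather than assigning a fresh object:
// `policies = { passwordPolicy: { temporaryPasswordValidityDays: 3 } }` would
// silently drop the generated minimum length and character-class requirements.
function mergePasswordPolicy(pool: UserPoolLike, patch: PasswordPolicy): PasswordPolicy {
  const merged = { ...(pool.policies?.passwordPolicy ?? {}), ...patch };
  pool.policies = { ...(pool.policies ?? {}), passwordPolicy: merged };
  return merged;
}

// Append a custom attribute, refusing a name already present in the schema:
// attributes cannot be renamed or deleted once the pool exists, so a collision
// is better caught here than as a failed CloudFormation schema change.
function addCustomAttribute(pool: UserPoolLike, attr: SchemaAttribute): SchemaAttribute[] {
  const existing = pool.schema ?? [];
  if (existing.some((a) => a.name === attr.name)) {
    throw new Error(`attribute "${attr.name}" already exists in the user pool schema`);
  }
  pool.schema = [...existing, attr];
  return pool.schema;
}

// Same effect as the two override(...) bodies above, applied to a pool object.
function applyOverride(pool: UserPoolLike): UserPoolLike {
  mergePasswordPolicy(pool, { temporaryPasswordValidityDays: 3 });
  addCustomAttribute(pool, { attributeDataType: 'String', developerOnlyAttribute: false,
    mutable: true, name: 'my_custom_attribute', required: false });
  return pool;
}
```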

You can override the following auth resources that Amplify generates:

| Amplify-generated resource | Description |
| --- | --- |
| customMessageConfirmationBucket | S3 bucket used for custom message triggers |
| snsRole | SNS role for sending authentication-related messages |
| userPool | The Cognito user pool that enables user sign-up and sign-in |
| userPoolClientWeb | A Cognito user pool client for web apps |
| userPoolClient | A Cognito user pool client for mobile apps |
| identityPool | A Cognito identity pool to federate identities |
| identityPoolRoleMap | Role mapping for authenticated and unauthenticated user roles |
| lambdaConfigPermissions | Permissions for Lambda function to access Cognito user pool and identity pool |
| lambdaTriggerPermissions | IAM policy attached to Cognito Lambda triggers |
| userPoolClientLambda | Lambda function to fetch app client secret from user pool client |
| userPoolClientRole | IAM Role for Lambda function to fetch app client secret from user pool client |
| userPoolClientLambdaPolicy | IAM Policy for Lambda function to fetch app client secret from user pool client |
| userPoolClientLogPolicy | IAM Policy to enable CloudWatch logging for Lambda function to fetch app client secret from user pool client |
| userPoolClientInputs | Custom CloudFormation resource to fetch app client secret from user pool client |
| hostedUICustomResource | Lambda function to enable Cognito user pool Hosted UI login |
| hostedUICustomResourcePolicy | IAM Policy for Lambda function to enable Cognito user pool Hosted UI login |
| hostedUICustomResourceLogPolicy | IAM Policy to enable CloudWatch logging for Lambda function to enable Cognito user pool Hosted UI login |
| hostedUICustomResourceInputs | Custom CloudFormation resource to enable Cognito user pool Hosted UI login |
| hostedUIProvidersCustomResource | Lambda function to configure Hosted UI with 3rd party identity providers |
| hostedUIProvidersCustomResourcePolicy | IAM Policy for Lambda function to configure Hosted UI with 3rd party identity providers |
| hostedUIProvidersCustomResourceLogPolicy | IAM Policy to enable CloudWatch logging for Lambda function to configure Hosted UI with 3rd party identity providers |
| hostedUIProvidersCustomResourceInputs | Custom CloudFormation resource to configure Hosted UI with 3rd party identity providers |
| oAuthCustomResource | Lambda function to enable OAuth |
| oAuthCustomResourcePolicy | IAM Policy for OAuth custom CloudFormation resource |
| oAuthCustomResourceLogPolicy | IAM Policy to enable CloudWatch logging for OAuth Lambda function |
| oAuthCustomResourceInputs | Custom CloudFormation resource to enable OAuth |
| mfaLambda | Lambda function to enable multi-factor authentication |
| mfaLogPolicy | IAM Policy to enable CloudWatch logging for multi-factor authentication Lambda function |
| mfaLambdaPolicy | IAM Policy for multi-factor authentication Lambda function |
| mfaLambdaInputs | Custom CloudFormation resource to enable multi-factor authentication |
| mfaLambdaRole | IAM Execution Role for multi-factor authentication Lambda function |
| openIdLambda | Lambda function to enable OpenID Connect |
| openIdLogPolicy | IAM Policy to enable CloudWatch logging for OpenID Connect Lambda function |
| openIdLambdaIAMPolicy | IAM Policy for OpenID Connect Lambda function |
| openIdLambdaInputs | Custom CloudFormation resource to enable OpenID Connect |
| openIdLambdaRole | Lambda Execution Role for OpenID Connect Lambda function |

Customize Amplify-generated Cognito user group resources

Apply all the overrides in the override(...) function. For example, to add a path to the Lambda execution role that performs the user pool group to role mapping:

```typescript
import { AmplifyUserPoolGroupStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyUserPoolGroupStackTemplate) {
  resources.lambdaExecutionRole.path = "/<my-path>/" // Note: CFN does not allow you to modify the path after creation
}
```

You can override the following user pool group resources that Amplify generates:

| Amplify-generated resource | Description |
| --- | --- |
| userPoolGroup | The map of user pool groups |
| userPoolGroupRole | The map of user pool group roles |
| roleMapCustomResource | A custom CloudFormation resource to map user pool groups to their roles |
| lambdaExecutionRole | Lambda execution role for the "user pool group"-to-role mapping function |
| roleMapLambdaFunction | The Lambda function that performs the user pool group to role mapping |

Customize Amplify-generated Cognito auth resources with social providers

Apply all the overrides in the override(...) function. For example, to add a social provider to your Cognito user pool:

```typescript
import { AmplifyAuthCognitoStackTemplate } from "@aws-amplify/cli-extensibility-helper";

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.addCfnResource(
    {
      type: "AWS::Cognito::UserPoolIdentityProvider",
      properties: {
        AttributeMapping: {
          preferred_username: "email",
          email: "email"
        },
        ProviderDetails: {
          client_id: "test",
          client_secret: "test",
          authorize_scopes: "test",
        },
        ProviderName: "LoginWithAmazon",
        ProviderType: "LoginWithAmazon",
        UserPoolId: {
          Ref: "UserPool",
        },
      },
    },
    "amazon-social-provider"
  );
}
```
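The override above carries the provider's `client_id` and `client_secret` as literals in overrides.ts, which is a file that gets committed. This added example (not from the Amplify docs or CLI) builds the same `AWS::Cognito::UserPoolIdentityProvider` definition but reads the credentials from an environment map and refuses missing or placeholder values such as `"test"`; `CfnResourceDef` is a hypothetical minimal shape of the object passed to `resources.addCfnResource(...)`, and the env-var names are constructed.

```typescript
// Hypothetical minimal shape of the object passed to resources.addCfnResource(...).
interface CfnResourceDef { type: string; properties: Record<string, unknown> }

interface SocialProviderInput {
  providerName: string;     // e.g. "LoginWithAmazon"
  providerType: string;     // Cognito ProviderType, e.g. "LoginWithAmazon"
  clientIdVar: string;      // name of the env var holding the client id
  clientSecretVar: string;  // name of the env var holding the client secret
  authorizeScopes: string;  // space-separated scopes, e.g. "profile"
}

// Fail fast when a credential is absent or still a placeholder such as "test",
// so an unconfigured provider never reaches the CloudFormation template.
function readRequired(env: Record<string, string | undefined>, key: string): string {
  const value = (env[key] ?? '').trim();
  if (value === '' || value.toLowerCase() === 'test') {
    throw new Error(`${key} is missing or still a placeholder`);
  }
  return value;
}

// Builds the same AWS::Cognito::UserPoolIdentityProvider definition as the
// override above; in a real overrides.ts `env` would be process.env.
function buildSocialProvider(input: SocialProviderInput, env: Record<string, string | undefined>): CfnResourceDef {
  return {
    type: 'AWS::Cognito::UserPoolIdentityProvider',
    properties: {
      AttributeMapping: { preferred_username: 'email', email: 'email' },
      ProviderDetails: {
        client_id: readRequired(env, input.clientIdVar),
        client_secret: readRequired(env, input.clientSecretVar),
        authorize_scopes: input.authorizeScopes,
      },
      ProviderName: input.providerName,
      ProviderType: input.providerType,
      UserPoolId: { Ref: 'UserPool' },
    },
  };
}
```

The returned object is what you would pass as the first argument to `resources.addCfnResource(...)`, with `"amazon-social-provider"` as the second.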